
The General Data Protection Regulation (EU) 2016/679 (GDPR) is a regulation in EU law on data
protection and privacy in the European Union (EU) and the European Economic Area (EEA). It also
addresses the transfer of personal data outside the EU and EEA areas. The GDPR's primary aim is to
enhance individuals' control and rights over their personal data and to simplify the regulatory
environment for international business.[1] Superseding the Data Protection Directive 95/46/EC, the
regulation contains provisions and requirements related to the processing of personal data of
individuals (formally called data subjects in the GDPR) who are located in the EEA, and applies to any
enterprise, regardless of its location and the data subjects' citizenship or residence, that is
processing the personal information of individuals inside the EEA.

The GDPR was adopted on 14 April 2016 and became enforceable beginning 25 May 2018. As the
GDPR is a regulation, not a directive, it is directly binding and applicable, but does provide flexibility
for certain aspects of the regulation to be adjusted by individual member states.

The regulation became a model for many national laws outside the EU,
including UK, Turkey, Mauritius, Chile, Japan, Brazil, South Korea, Argentina and Kenya.
The California Consumer Privacy Act (CCPA), adopted on 28 June 2018, has many similarities with the
GDPR.[2]

Contents

1 Contents
  1.1 General provisions
  1.2 Principles
  1.3 Rights of the data subject
    1.3.1 Transparency and modalities
    1.3.2 Information and access
    1.3.3 Rectification and erasure
    1.3.4 Right to object and automated decisions
  1.4 Controller and processor
    1.4.1 Pseudonymisation
    1.4.2 Records of processing activities
    1.4.3 Security of personal data
    1.4.4 Data protection officer
  1.5 Remedies, liability and penalties
2 Exemptions
3 Applicability outside of the European Union
  3.1 EU Representative
  3.2 Third countries
  3.3 United Kingdom implementation
4 Reception
5 Impact
  5.1 Enforcement and inconsistency
  5.2 Influence on international laws
6 Timeline
7 EU Digital Single Market
8 See also
9 Notes
10 Citations
11 External links

Contents

The GDPR 2016 has eleven chapters, concerning general provisions, principles, rights of the data
subject, duties of data controllers or processors, transfers of personal data to third countries,
supervisory authorities, cooperation among member states, remedies, liability or penalties for
breach of rights, and miscellaneous final provisions.[3]

General provisions

The regulation applies to the processing of personal data in the context of the activities of an
establishment in the EU of a data controller (the organisation that determines the purposes and
means of the processing) or a processor (an organisation, such as a cloud service provider, that
processes data on behalf of a controller), regardless of where the processing itself takes place
(Article 3(1)). It also applies to controllers and processors established outside the EU where the
processing relates to offering goods or services to, or monitoring the behaviour of, data subjects
who are in the EU (Article 3(2)).[4] The regulation does not apply to the processing of data by a
person for a "purely personal or household activity and thus with no connection to a professional or
commercial activity." (Recital 18)

According to the European Commission, "Personal data is information that relates to an identified or
identifiable individual. If you cannot directly identify an individual from that information, then you
need to consider whether the individual is still identifiable. You should take into account the
information you are processing together with all the means reasonably likely to be used by either
you or any other person to identify that individual."[5] The precise definitions of terms such as
"personal data", "processing", "data subject", "controller", and "processor" are stated in Article 4 of
the Regulation.[6]

The regulation does not purport to apply to the processing of personal data for national security
activities or law enforcement of the EU; however, industry groups concerned about facing a
potential conflict of laws have questioned whether Article 48[6] of the GDPR could be invoked to seek
to prevent a data controller subject to a third country's laws from complying with a legal order from
that country's law enforcement, judicial, or national security authorities to disclose to such
authorities the personal data of an EU person, regardless of whether the data resides in or out of the
EU. Article 48 states that any judgement of a court or tribunal and any decision of an administrative
authority of a third country requiring a controller or processor to transfer or disclose personal data
may not be recognised or enforceable in any manner unless based on an international agreement,
like a mutual legal assistance treaty in force between the requesting third (non-EU) country and the
EU or a member state.[7] The data protection reform package also includes a separate Data
Protection Directive for the police and criminal justice sector that provides rules on personal data
exchanges at national, European, and international levels.[8]

A single set of rules applies to all EU member states. Each member state establishes an independent
supervisory authority (SA) to hear and investigate complaints, sanction administrative offences, and
so on. SAs in each member state co-operate with other SAs, providing mutual assistance and organising
joint operations. If a business has establishments in more than one member state, the SA of its
"main establishment", the place where decisions on the purposes and means of processing are taken,
acts as its "lead supervisory authority". The lead authority thus acts as a "one-stop shop" to
supervise all the cross-border processing activities of that business throughout the EU (Articles 56
and 60 of the GDPR).[9][10] A European Data Protection Board (EDPB) co-ordinates the SAs and
replaces the Article 29 Data Protection Working Party. There are exceptions for data processed in an
employment context or in the field of national security that may still be subject to individual
member states' rules (Articles 2(2)(a) and 88 of the GDPR).

Principles

Personal data may not be processed unless at least one of the lawful bases listed in Article 6(1)
applies; consent is only one of them. Article 6 states the lawful bases are:[11]

(a) the data subject has given consent to the processing of his or her personal data for one or
more specific purposes;

(b) processing is necessary to perform a contract with the data subject, or to take steps at the
request of a data subject who is in the process of entering into a contract;

(c) processing is necessary to comply with a legal obligation of the data controller;

(d) processing is necessary to protect the vital interests of the data subject or another individual;

(e) processing is necessary for a task carried out in the public interest or in the exercise of
official authority;

(f) processing is necessary for the legitimate interests of a data controller or a third party,
unless these interests are overridden by the interests or fundamental rights and freedoms of the
data subject (in particular where the data subject is a child).[7]

If consent is used as the lawful basis for processing, it must be specific to the data collected and
to each purpose for which the data is used (Article 7; defined in Article 4(11)).[12][13] Consent must
be a freely given, specific, informed and unambiguous indication of the data subject's wishes, given
by a clear affirmative action; silence, inactivity or pre-ticked boxes do not constitute consent, so an
online form whose consent options are selected by default is a violation of the GDPR. Explicit
consent, a stricter standard, is required for special categories of data (Article 9). In addition,
multiple types of processing may not be "bundled" together into a single affirmation prompt, as this
is not specific to each use of data, and the individual permissions are not freely given. (Recitals 32
and 43)

Data subjects must be allowed to withdraw consent at any time, and withdrawing it must be as easy
as giving it (Article 7(3)). Consent is unlikely to count as freely given where access to a service is
made conditional on consent to processing that is not necessary for that service (Article 7(4)).
Consent for children, defined in the regulation as those under 16 years old (with the option for
member states to lower the threshold to as low as 13, Article 8(1)), must be given or authorised by
the holder of parental responsibility, and the controller must make reasonable efforts to verify this
(Article 8).[14][15]

If consent was already obtained under the Data Protection Directive, a data controller does not have
to re-obtain it, provided the manner in which it was obtained meets the GDPR's requirements
(Recital 171).[16][17]

Rights of the data subject

Transparency and modalities

Article 12 requires that the data controller provides information to the "data subject in a concise,
transparent, intelligible and easily accessible form, using clear and plain language, in particular for
any information addressed specifically to a child."[7]

Information and access

The right of access (Article 15) is a data subject right.[18] It gives people the right to access their
personal data and information about how this personal data is being processed. A data controller
must provide, upon request, an overview of the categories of data that are being processed (Article
15(1)(b)) as well as a copy of the actual data (Article 15(3)); furthermore, the data controller has to
inform the data subject on details about the processing, such as the purposes of the processing
(Article 15(1)(a)), with whom the data is shared (Article 15(1)(c)), and how it acquired the data
(Article 15(1)(g)).

A data subject must be able to transfer personal data from one electronic processing system to and
into another, without being prevented from doing so by the data controller. Data that has been
sufficiently anonymised is excluded, but data that has been only de-identified but remains possible
to link to the individual in question, such as by providing the relevant identifier, is not.[19] In practice,
however, providing such identifiers can be challenging, such as in the case of Apple's Siri, where
voice and transcript data is stored with a personal identifier that the manufacturer restricts access
to,[20] or in online behavioural targeting, which relies heavily on device fingerprints that can be
challenging to capture, send, and verify.[21]

Both data being 'provided' by the data subject and data being 'observed', such as about behaviour,
are included. In addition, the data must be provided by the controller in a structured and commonly
used standard electronic format. The right to data portability is provided by Article 20 of the GDPR.
[22]

Rectification and erasure

A right to be forgotten was replaced by a more limited right of erasure in the version of the GDPR
adopted by the European Parliament in March 2014.[23][24] Article 17 provides that the data subject
has the right to request erasure of personal data relating to them on any one of a number of
grounds, and the controller must act on the request without undue delay and in any event within one
month (Article 12(3)). The grounds include processing that no longer complies with Article 6(1)
(lawfulness), for example under case (f) where the legitimate interests of the controller are
overridden by the interests or fundamental rights and freedoms of the data subject (see also Google
Spain SL, Google Inc. v Agencia Española de Protección de Datos, Mario Costeja González).[7]

Right to object and automated decisions


Article 21 of the GDPR gives the data subject the right to object, on grounds relating to their
particular situation, to processing based on a task in the public interest or official authority
(Article 6(1)(e)) or on the controller's legitimate interests (Article 6(1)(f)), including profiling on
those bases.[25] The controller must then stop processing unless it can demonstrate compelling
legitimate grounds that override the interests, rights and freedoms of the data subject, or that the
processing is needed to establish, exercise or defend legal claims (Article 21(1)). Where personal
data is processed for direct marketing, the right to object is absolute: once the data subject
objects, the data may no longer be processed for that purpose (Article 21(2) and (3)).

The right to object does not extend to processing that rests on the other lawful bases. For example:

1. processing necessary to comply with a legal obligation of the controller (Article 6(1)(c));

2. processing necessary to perform a contract with the data subject, such as delivering a service
they signed up for (Article 6(1)(b));

3. processing based on consent (Article 6(1)(a)), where the data subject's remedy is to withdraw
the consent rather than to object.

The GDPR is also clear that the controller must explicitly bring the right to object to the data
subject's attention at the latest at the time of the first communication with them, presented
clearly and separately from any other information (Article 21(4)). Separately, Article 22 gives the
data subject the right not to be subject to a decision based solely on automated processing,
including profiling, which produces legal effects concerning them or similarly significantly affects
them.

A controller may refuse to act on a request, or charge a reasonable fee, where the request is
"manifestly unfounded" or "excessive" (Article 12(5)), so each objection must be assessed
individually.[25] Other countries such as Canada[26] are also, following the GDPR, considering
legislation to regulate automated decision-making under privacy laws, even though there are policy
questions as to whether this is the best way to regulate AI.

Controller and processor

Data controllers must clearly disclose any data collection, declare the lawful basis and purpose for
data processing, and state how long data is retained and whether it is shared with any third parties
or transferred outside the EEA. Firms must collect and retain only the personal data necessary for
each purpose (data minimisation), with as little intrusion on the privacy of employees, consumers or
third parties as possible, and should have internal controls covering functions such as audit,
compliance and operations. Data subjects have the right to request a portable copy of the data
collected by a controller in a common format, as well as the right to have their data erased under
certain circumstances. Public authorities, and organisations whose core activities consist of regular
and systematic monitoring of data subjects on a large scale or of large-scale processing of special
categories of data, are required to appoint a data protection officer (DPO), who is responsible for
overseeing compliance with the GDPR (Article 37). Controllers must report personal data breaches to
the national supervisory authority without undue delay and, where feasible, within 72 hours of
becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and
freedoms of individuals (Article 33); where that risk is high, the affected data subjects must also be
informed (Article 34). Violators of the GDPR may be fined up to €20 million or, in the case of an
enterprise, up to 4% of its total worldwide annual turnover of the preceding financial year, whichever
is greater (Article 83(5)).

To be able to demonstrate compliance with the GDPR, the data controller must implement measures
that meet the principles of data protection by design and by default. Article 25 requires data
protection measures to be designed into the development of business processes for products and
services. Such measures include pseudonymising personal data, by the controller, as soon as
possible (Recital 78). It is the responsibility and the liability of the data controller to implement
effective measures and be able to demonstrate the compliance of processing activities even if the
processing is carried out by a data processor on behalf of the controller (Recital 74).[7] When data is
collected, data subjects must be clearly informed about the extent of data collection, the legal basis
for the processing of personal data, how long data is retained, if data is being transferred to a third-
party and/or outside the EU, and any automated decision-making that is made on a
solely algorithmic basis. Data subjects must be informed of their privacy rights under the GDPR,
including their right to revoke consent to data processing at any time, their right to view their
personal data and access an overview of how it is being processed, their right to obtain a portable
copy of the stored data, their right to erasure of their data under certain circumstances, their right
to contest any automated decision-making that was made on a solely algorithmic basis, and their
right to file complaints with a Data Protection Authority. As such, the data subject must also be
provided with contact details for the data controller and their designated data protection officer,
where applicable.[27][28]

Data protection impact assessments (Article 35) must be carried out where a type of processing, in
particular one using new technologies, is likely to result in a high risk to the rights and freedoms of
data subjects. The assessment must identify the risks and the measures envisaged to mitigate them;
where it indicates that the processing would still result in a high risk, the controller must consult
the supervisory authority before the processing begins (Article 36).

Article 25 requires data protection to be designed into the development of business processes for
products and services. Privacy settings must therefore be set at a high level by default, and technical
and procedural measures should be taken by the controller to make sure that the processing,
throughout the whole processing lifecycle, complies with the regulation. Controllers should also
implement mechanisms to ensure that personal data is not processed unless necessary for each
specific purpose.
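The following is an added example, not code from the original article or from any regulator, showing the pseudonymisation that Recital 78 and Article 25 ask for, and why the de-identified data discussed under data portability remains personal data: the controller keeps the key, so it can still link and re-identify records (for an access or erasure request), while a party without the key cannot. The records, e-mail addresses and the choice of HMAC-SHA256 as the tokenisation function are assumptions made for this example; the contrast with an unkeyed hash shows why hashing alone is a weak pseudonym for low-entropy identifiers such as e-mail addresses.

```python
import hashlib
import hmac
import secrets

# Constructed sample dataset (fictional subjects) whose direct identifier is the e-mail.
RAW_RECORDS = [
    {"email": "alice@example.org", "purchase": "book", "amount": 12.50},
    {"email": "bob@example.org", "purchase": "pen", "amount": 2.00},
    {"email": "alice@example.org", "purchase": "lamp", "amount": 30.00},
]


def _token(email, key):
    """Keyed pseudonym: HMAC-SHA256 over the identifier under a controller-held key."""
    return hmac.new(key, email.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise(records, key):
    """Replace the direct identifier with a keyed token.

    Equal inputs under the same key give equal tokens, so one subject's records stay
    linkable for analysis, but the token cannot be reversed or recomputed without the
    key. The key is the "additional information" of Article 4(5) and must be stored
    separately from the pseudonymised dataset.
    """
    return [
        {"subject_token": _token(rec["email"], key),
         "purchase": rec["purchase"],
         "amount": rec["amount"]}
        for rec in records
    ]


def reidentify(token, known_emails, key):
    """The key holder maps a token back to a subject, e.g. to answer an Article 15
    access request. Constant-time comparison avoids leaking the match via timing."""
    for email in known_emails:
        if hmac.compare_digest(_token(email, key), token):
            return email
    return None


def erase_subject(pseud_records, email, key):
    """Honour an Article 17 erasure request against the pseudonymised set without
    ever storing the e-mail next to the data."""
    target = _token(email, key)
    return [r for r in pseud_records if not hmac.compare_digest(r["subject_token"], target)]


def naive_hash(email):
    """Unkeyed SHA-256 of the identifier: a common but weak 'pseudonymisation'."""
    return hashlib.sha256(email.encode("utf-8")).hexdigest()


def guess_attack(token, guesses):
    """An attacker without the key tries a candidate list of identifiers. This
    succeeds against unkeyed hashes and fails against keyed tokens."""
    for guess in guesses:
        if naive_hash(guess) == token:
            return guess
    return None


def demo():
    key = secrets.token_bytes(32)  # held by the controller, never shipped with the data
    pseud = pseudonymise(RAW_RECORDS, key)
    guesses = ["alice@example.org", "bob@example.org", "carol@example.org"]
    return {
        "linkable": pseud[0]["subject_token"] == pseud[2]["subject_token"],
        "distinct_subjects": pseud[0]["subject_token"] != pseud[1]["subject_token"],
        "no_direct_identifier": all("email" not in r for r in pseud),
        "reidentified_with_key": reidentify(pseud[1]["subject_token"], guesses, key),
        "naive_hash_guessed": guess_attack(naive_hash("alice@example.org"), guesses),
        "keyed_token_guessed": guess_attack(pseud[0]["subject_token"], guesses),
        "rows_after_erasing_alice": len(erase_subject(pseud, "alice@example.org", key)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Because the controller can reverse the tokens with its key, the pseudonymised set is still personal data under Recital 26 and every right in Chapter III continues to apply to it; only data that can no longer be linked to a person by any means reasonably likely to be used falls outside the regulation. Rotating or destroying the key is what turns the tokens into effectively anonymised values.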

A report[29] by the European Union Agency for Network and Information Security elaborates on what
needs to be done to achieve privacy and data protection by default. It specifies that encryption and
decryption operations must be carried out locally, not by remote service, because both keys and
data must remain in the power of the data owner if any privacy is to be achieved. The report
specifies that outsourced data storage on remote clouds is pr
